NIST’s Surprising New Password Recommendation

Few things in life are more maligned by computer users than the requirement to enter a password to unlock access to restricted servers, applications, and websites. While most of us understand the age-old necessity for protecting private information against prying eyes, this understanding does little to eliminate the challenge of selecting strong passwords, and then remembering and correctly entering them.

Hidden Costs of Forgotten Passwords

Forgetting or mis-keying credentials typically leads to legitimate access being disabled and subsequent steps to reactivate. Contacting a company help desk and awaiting assistance can be frustrating for both sides and, according to experts at Gartner and Forrester Research, accounts for 20-50% of help desk activities and can cost companies upwards of $70 per event.

As one of the easier overhead costs to track and calculate, some mid-sized companies report a six-figure impact associated with annual reset activities.

Users Find Easy Ways to Remember

Traditional thinking demands the use of a complex password to reduce the risk of being easily guessed or cracked. Password policies often mandate the inclusion of digits and special characters in order to make the password appear more cryptic.

The overall intent is to resist simple passwords such as dictionary words and laughably abysmal passwords such as “password123,” “123456,” and “abcde.” Character substitutions, such as using the number 1 as a replacement for the letter “i” and the “$” symbol for the number 3, help to satisfy policy requirements while keeping the password more memorable than a random selection of characters.

However, the problem of remembering whether you used a number 3 or a “$” for a particular password remains, leading many people to reuse the same password across many disparate applications. Consumers are notorious for recycling similar flavors of their password, which leads to a cascading impact from any data event that involves breached credentials.

NIST Changes Its Password Strategy

The National Institute of Standards and Technology (NIST), a non-regulatory federal agency of the United States Department of Commerce, surprised the cybersecurity industry early in 2017 by revising its password policy recommendations. NIST develops the Federal Information Processing Standards (FIPS) with which federal agencies must comply and also provides recommendations through its Special Publications (SP) 800-series. Retraction of several common requirements in SP 800-63-3 had many users celebrating good times ahead, but is everything as simple as it seems?

NIST now acknowledges that several previous requirements contributed very little to the resiliency of the password. Users tended to simply add a digit or special character to the end of their passwords, and unnecessary expiration caused stress and a tendency to recycle and write down new passwords. Instead, emphasis is now placed on the length of the password as the single most influential factor in its entropy, a measure of its randomness.

Passwords should be a minimum of eight characters, and that length requirement should be adjusted to reflect the sensitivity of the access being guarded. Lengths of up to 64 characters should be supported, and a password can be random words strung together as a passphrase. New passwords should be checked against a dictionary of banned words, and the number of attempts allowed to enter a password should be limited.
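To make the two preceding paragraphs concrete, here is an added example (not part of the original article or of any NIST publication) of a verifier-side policy built on these points: a length floor of 8 and ceiling of 64 with no digit/special-character composition rule, a banned-word check that first undoes the common character substitutions described earlier so that “P@ssw0rd1!” is still caught, a per-account failed-attempt limiter, and a small entropy calculation showing why length outweighs character-set tricks. The banned-word list, the substitution table, the 95-character printable alphabet, and the 7776-word passphrase list size are constructed parameters, and Unicode NFKC normalization before measuring length is my own choice.

```python
import math
import unicodedata

MIN_LENGTH = 8   # floor from the guideline discussed above
MAX_LENGTH = 64  # ceiling that verifiers should support

# Constructed stand-in for a real dictionary of banned words; a deployment
# would load a large list derived from breach corpora.
BANNED_WORDS = {"password", "password123", "123456", "abcde", "qwerty", "letmein"}

# Constructed table of common "leetspeak" substitutions users make to satisfy
# composition rules; undoing them exposes the underlying dictionary word.
SUBSTITUTIONS = str.maketrans({"@": "a", "0": "o", "1": "i", "!": "i", "3": "e", "$": "s", "4": "a", "5": "s"})
TRAILING_FILLER = "0123456789!@#$%^&*()_+-=.,?"


def normalize(password):
    """Apply Unicode NFKC so visually identical strings are measured alike (my choice)."""
    return unicodedata.normalize("NFKC", password)


def core_word(password):
    """Strip the digits/symbols users tack onto the end, then undo substitutions.
    'P@ssw0rd1!' -> 'password'."""
    stripped = normalize(password).lower().rstrip(TRAILING_FILLER)
    return stripped.translate(SUBSTITUTIONS)


def check_password(password):
    """Return the list of reasons the candidate is rejected; empty means accepted.
    Deliberately imposes no 'must contain a digit/special character' rule."""
    pw = normalize(password)
    problems = []
    n = len(pw)
    if n < MIN_LENGTH:
        problems.append("too short: %d < %d" % (n, MIN_LENGTH))
    if n > MAX_LENGTH:
        problems.append("too long: %d > %d" % (n, MAX_LENGTH))
    lowered = pw.lower()
    if lowered in BANNED_WORDS or core_word(pw) in BANNED_WORDS:
        problems.append("matches banned list (after undoing common substitutions)")
    if len(set(lowered)) == 1:
        problems.append("single repeated character")
    return problems


def brute_force_bits(password, alphabet_size=95):
    """Upper bound on guessing entropy for a uniformly random string of this
    length over an alphabet of alphabet_size symbols: len * log2(alphabet_size)."""
    return len(password) * math.log2(alphabet_size)


def passphrase_bits(word_count, wordlist_size=7776):
    """Entropy of word_count words chosen uniformly from a wordlist_size-word list
    (7776 is a constructed Diceware-style list size)."""
    return word_count * math.log2(wordlist_size)


class AttemptLimiter:
    """Per-account count of failed authentication attempts; locks at max_failures."""

    def __init__(self, max_failures=10):
        self.max_failures = max_failures
        self.failures = {}

    def record_failure(self, account):
        """Record one failed attempt and return True if the account is now locked."""
        self.failures[account] = self.failures.get(account, 0) + 1
        return self.is_locked(account)

    def is_locked(self, account):
        return self.failures.get(account, 0) >= self.max_failures

    def reset(self, account):
        """Clear the counter after a successful login or an admin unlock."""
        self.failures.pop(account, None)


if __name__ == "__main__":
    for candidate in ["P@ssw0rd1!", "correct horse battery staple", "abc", "a" * 65]:
        print("%-30r -> %s" % (candidate, check_password(candidate) or "accepted"))
    print("8 random printable chars : %.1f bits" % brute_force_bits("P@ssw0rd"))
    print("19 random lowercase chars: %.1f bits" % brute_force_bits("correcthorsebattery", 26))
    print("5-word random passphrase : %.1f bits" % passphrase_bits(5))
```

Note that the entropy figures are upper bounds that only hold for genuinely random selection; a substituted dictionary word like “P@ssw0rd” scores 52.6 bits by the formula but is rejected outright by the banned-list check because its core word is “password”. The limiter counts failures per account so a small, fixed cap (ten here) throttles guessing without a composition rule doing any work.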

These new guidelines are intended to make it easier for users to create and maintain strong passwords. Ironically, many organizations were already operating with practices matching the new requirements without knowing that they would end up in compliance.

I caution you to carefully consider your password policy options and I also encourage the use of password vaults and easy-to-remember passphrases. Users can indeed have good times without totally negating the value of a robust password. And if an IBM i user still manages to disable their account, they can always use Powertech Password Self Help for IBM i to get themselves up and running again!